Fix Library

Practical playbooks and best-practice guides. Apply changes at your CDN/edge or reverse proxy when possible, then rerun checks.

Showing 20 issue playbooks and 18 topic guides.
Common fixes
Practical issue playbooks you can apply immediately.
Cache-Control Basics
Use correct cache rules to improve speed without caching sensitive content.
Category: caching
CORS Preflight Failing
Fix OPTIONS handling and align allowed methods/headers for cross-origin requests.
Category: cors
CORS Wildcard Too Broad
Avoid Access-Control-Allow-Origin: * for sensitive endpoints. Browsers reject * when Access-Control-Allow-Credentials: true is set, so the combination that actually leaks data is an allow-list that reflects any request Origin together with credentials.
Category: cors
DNS MX Missing
Add MX records so email can be delivered to your domain.
Category: dns
DNS NXDOMAIN
Fix missing DNS records or wrong nameserver delegation that returns NXDOMAIN.
Category: dns
HTTP → HTTPS Redirect
Force HTTPS at the edge and ensure the app is consistent behind proxies.
Category: redirects
Insecure Cookies
Ensure auth cookies are Secure, HttpOnly, and have an appropriate SameSite policy.
Category: security
Missing CSP
Add Content-Security-Policy to reduce XSS and risky third-party script execution.
Category: security
Missing HSTS
Add Strict-Transport-Security so browsers use HTTPS for your domain on every later visit (the first request is still unprotected unless the domain is preloaded).
Category: security
Missing Permissions-Policy
Reduce risk by restricting camera/mic/geolocation and other powerful features.
Category: security
Missing Referrer-Policy
Limit how much referrer information is shared when users navigate away.
Category: security
Missing X-Content-Type-Options
Disable MIME sniffing to reduce content-type confusion attacks.
Category: security
Missing X-Frame-Options
Prevent clickjacking by controlling whether your site can be embedded in iframes.
Category: security
Mixed Content Basics
Remove HTTP subresources on HTTPS pages (images/scripts/fonts) to avoid browser blocking.
Category: content
Redirect Loop
Stop infinite redirects caused by conflicting rules between app, CDN, and proxy.
Category: redirects
Sitemap + Robots Basics
Ensure crawlers can discover your core pages without indexing sensitive/temporary routes.
Category: seo
Slow TTFB Basics
Improve server response time by reducing expensive work and using caching appropriately.
Category: performance
SSL Certificate Expired
Renew/replace your TLS certificate to restore HTTPS trust and prevent hard failures.
Category: ssl
Too Many Redirects
Reduce redirect chains (SEO + speed). Aim for 0–1 redirects for main pages.
Category: redirects
Uptime Monitoring Basics
Set up simple monitoring so you get alerted when core endpoints fail.
Category: monitoring
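As an added example (not the Fix Library's own checker), the following Python script audits one response's headers against the playbooks above: HSTS, CSP, X-Frame-Options/frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, cookie flags, CORS wildcard and origin reflection, stack disclosure and the legacy X-XSS-Protection header. It runs offline on constructed header sets; the cookie-name heuristic, the severity labels and the https://attacker.example probe origin are assumptions made here, not rules from the page.

```python
"""Offline audit of one response's headers against the playbook checklist above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # short identifier such as "missing-hsts"
    severity: str   # high | medium | low | info (severity scale is an assumption here)
    detail: str


# Assumption: cookie names containing these fragments carry session material.
SESSION_COOKIE_HINT = re.compile(r"sess|auth|token|jwt", re.I)


def _get(headers, name):
    """First value of a header (case-insensitive), or None."""
    return next((v.strip() for k, v in headers if k.lower() == name.lower()), None)


def _csp_directive(csp, name):
    """Source list of one CSP directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def audit_headers(headers, *, https=True, request_origin=None):
    """headers: iterable of (name, value) pairs, duplicates allowed (Set-Cookie).
    request_origin: the Origin sent on the probe request, used to detect CORS reflection."""
    f = []
    hsts = _get(headers, "Strict-Transport-Security")
    if https and hsts is None:
        f.append(Finding("missing-hsts", "high", "no Strict-Transport-Security"))
    elif https:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < 31536000:
            f.append(Finding("weak-hsts", "medium", f"max-age under one year: {hsts}"))

    csp = _get(headers, "Content-Security-Policy")
    frame_ancestors = None
    if csp is None:
        f.append(Finding("missing-csp", "medium", "no Content-Security-Policy"))
    else:
        scripts = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
            f.append(Finding("csp-unsafe-inline", "low", "script-src allows inline script without nonce/hash"))
        frame_ancestors = _csp_directive(csp, "frame-ancestors")

    # CSP frame-ancestors supersedes X-Frame-Options; either one blocks framing.
    if frame_ancestors is None and _get(headers, "X-Frame-Options") is None:
        f.append(Finding("missing-x-frame-options", "medium", "no X-Frame-Options or frame-ancestors"))
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        f.append(Finding("missing-x-content-type-options", "medium", "X-Content-Type-Options is not nosniff"))
    for h, check in (("Referrer-Policy", "missing-referrer-policy"), ("Permissions-Policy", "missing-permissions-policy")):
        if _get(headers, h) is None:
            f.append(Finding(check, "low", f"no {h}"))

    # Every Set-Cookie is checked; names that look like session material rate high.
    for sc in (v for k, v in headers if k.lower() == "set-cookie"):
        name = sc.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower(): a.strip().lower() for a in sc.split(";")[1:]}
        missing = [x for x, ok in (("Secure", "secure" in attrs or not https),
                                   ("HttpOnly", "httponly" in attrs),
                                   ("SameSite", "samesite" in attrs)) if not ok]
        if attrs.get("samesite") == "samesite=none" and "secure" not in attrs:
            missing.append("Secure (required with SameSite=None)")
        if missing:
            sev = "high" if SESSION_COOKIE_HINT.search(name) else "low"
            f.append(Finding("insecure-cookie", sev, f"cookie {name!r} lacks {', '.join(missing)}"))

    # Wildcard + credentials is rejected by browsers (a misconfiguration); reflecting
    # an arbitrary Origin with credentials lets any site read the response.
    acao = _get(headers, "Access-Control-Allow-Origin")
    creds = (_get(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao == "*" and creds:
        f.append(Finding("cors-wildcard-credentials", "medium", "ACAO * with credentials: browsers reject it"))
    elif creds and request_origin and acao == request_origin:
        f.append(Finding("cors-origin-reflection", "high", f"Origin {request_origin} reflected with credentials"))

    for h in ("Server", "X-Powered-By"):
        if _get(headers, h):
            f.append(Finding("stack-disclosure", "info", f"{h}: {_get(headers, h)}"))
    xss = _get(headers, "X-XSS-Protection")
    if xss is not None and not xss.startswith("0"):
        f.append(Finding("legacy-x-xss-protection", "info", "ignored by modern browsers; remove it or set 0"))
    return f


def failed_checks(headers, **kw):
    """Set of check identifiers that fired."""
    return {x.check for x in audit_headers(headers, **kw)}


# Constructed sample: an unhardened origin response, and the same response after the playbooks.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "nginx/1.18.0"),
    ("X-Powered-By", "Express"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://attacker.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("X-XSS-Protection", "1; mode=block"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {label}")
        for x in audit_headers(hdrs, request_origin="https://attacker.example"):
            print(f"  [{x.severity}] {x.check}: {x.detail}")
```

To audit a live endpoint, feed it the pair list from http.client's HTTPResponse.getheaders() (or requests' response.raw.headers.items()) after sending a probe request with an Origin header you control; the reflection check only fires when the response echoes that exact value back with credentials enabled.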
Topic guides
Cache-Control
Controls browser and intermediary caching behavior for responses.
Caching
Includes fix steps
Clear-Site-Data
Instructs the browser to clear site data like cookies, storage, and cache (useful for logout or account changes).
Privacy
Includes fix steps
COEP (Cross-Origin-Embedder-Policy)
Controls which cross-origin resources can be loaded by requiring CORP/CORS compliance (often used for cross-origin isolation).
Headers
Includes fix steps
Content Security Policy (CSP)
CSP reduces XSS risk by controlling which sources can load scripts, styles, images, and more.
Headers
Includes fix steps
COOP (Cross-Origin-Opener-Policy)
Controls whether your top-level page shares a browsing context group with cross-origin documents (security/isolation).
Headers
Includes fix steps
CORP (Cross-Origin-Resource-Policy)
Allows a resource to declare whether it can be requested from other origins (helps COEP / prevents leaks).
Headers
Includes fix steps
CORS (Access-Control-Allow-*)
CORS controls which origins can read responses from your server when browsers make cross-origin requests.
CORS
Includes fix steps
ETag
Enables conditional requests to reduce bandwidth by reusing cached content when unchanged.
Caching
Includes fix steps
Expires
Legacy caching header that sets an absolute expiration date/time for content; Cache-Control max-age takes precedence when both are present.
Caching
Includes fix steps
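The Cache-Control, ETag and Expires guides above describe three decisions a CDN or proxy makes for every response: whether it may store the response at all, how long the copy stays fresh, and whether a conditional GET can be answered with 304. The Python below models those decisions from the RFC 9111 and RFC 9110 rules; it is an added example, not the Fix Library's own code. The sample requests and responses are constructed, and the rule that a response carrying Set-Cookie is never stored by a shared cache is a convention adopted here (what common CDNs do by default), not an RFC requirement.

```python
"""Shared-cache storability, freshness lifetime and ETag revalidation (RFC 9111 / 9110)."""
import hashlib
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """'max-age=60, private' -> {'max-age': '60', 'private': None}; names lowercased."""
    out = {}
    for token in (value or "").split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') if arg else None
    return out


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def shared_cache_may_store(request_headers, response_headers):
    """(allowed, reason) for a CDN or proxy storing this response.

    RFC 9111 s.3 rules plus one convention adopted here (an assumption): a
    response that sets a cookie is never stored, since a shared hit would hand
    one user's cookie to the next visitor.
    """
    req, res = _lower(request_headers), _lower(response_headers)
    cc = parse_cache_control(res.get("cache-control"))
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private (browser cache only)"
    if "set-cookie" in res:
        return False, "Set-Cookie present: would be replayed to other users"
    if "authorization" in req and not (cc.keys() & {"public", "s-maxage", "must-revalidate"}):
        return False, "authenticated request without public/s-maxage/must-revalidate"
    return True, "storable"


def _seconds(cc, key):
    v = cc.get(key)
    return int(v) if v is not None and v.isdigit() else None


def freshness_lifetime(response_headers, shared=True):
    """Seconds the response stays fresh. Precedence per RFC 9111 s.4.2.1:
    s-maxage (shared caches only) > max-age > Expires minus Date; an unparsable
    Expires such as "0" means already stale. Heuristic freshness is not applied."""
    res = _lower(response_headers)
    cc = parse_cache_control(res.get("cache-control"))
    if shared and _seconds(cc, "s-maxage") is not None:
        return _seconds(cc, "s-maxage")
    if _seconds(cc, "max-age") is not None:
        return _seconds(cc, "max-age")
    if "expires" in res and "date" in res:
        try:
            delta = parsedate_to_datetime(res["expires"]) - parsedate_to_datetime(res["date"])
            return max(0, int(delta.total_seconds()))
        except (ValueError, TypeError):
            return 0
    return 0


def strong_etag(body):
    """Content-derived strong validator (a leading 'W/' would mark a weak one)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def _opaque(tag):
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(if_none_match, current):
    """If-None-Match uses weak comparison (RFC 9110 s.8.8.3.2): the W/ prefix is
    ignored and '*' matches whatever representation currently exists."""
    if if_none_match is None:
        return False
    if if_none_match.strip() == "*":
        return True
    return any(_opaque(t) == _opaque(current) for t in if_none_match.split(","))


def conditional_get(request_headers, body):
    """(status, headers, body) for a GET; 304 with empty body when the client's copy is current."""
    etag = strong_etag(body)
    headers = {"ETag": etag, "Cache-Control": "private, max-age=0, must-revalidate"}
    if etag_matches(_lower(request_headers).get("if-none-match"), etag):
        return 304, headers, b""
    return 200, headers, body


# Constructed samples: a public asset, an authenticated page, a cookie-setting reply, a legacy Expires.
SAMPLES = {
    "static asset": ({}, {"Cache-Control": "public, max-age=60, s-maxage=86400"}),
    "account page": ({"Authorization": "Bearer t0k3n"}, {"Cache-Control": "max-age=300"}),
    "login reply": ({}, {"Cache-Control": "public, max-age=300", "Set-Cookie": "sessionid=abc; Secure; HttpOnly"}),
    "legacy expires": ({}, {"Date": "Wed, 31 Dec 2025 23:00:00 GMT", "Expires": "Thu, 01 Jan 2026 00:00:00 GMT"}),
}

if __name__ == "__main__":
    for label, (req, res) in SAMPLES.items():
        ok, why = shared_cache_may_store(req, res)
        print(f"{label:15} shared-cacheable={ok!s:5} fresh={freshness_lifetime(res)}s  ({why})")
    tag = strong_etag(b"<html>v1</html>")
    print("revalidation status:", conditional_get({"If-None-Match": "W/" + tag}, b"<html>v1</html>")[0])
```

The "account page" sample is the case the Cache-Control playbook warns about: max-age alone looks harmless, but because the request carried Authorization a shared cache must not store it unless the origin explicitly opts in with public or s-maxage, and a CDN that ignores that rule serves one user's page to another.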
HSTS (Strict-Transport-Security)
HSTS forces browsers to use HTTPS for your domain, preventing downgrade attacks and reducing SSL-stripping risk.
Headers
Includes fix steps
Permissions-Policy
Restricts access to powerful browser features (camera, mic, geolocation, etc.) across your site.
Privacy
Includes fix steps
Referrer-Policy
Controls how much referrer information is sent when navigating away from your site.
Privacy
Includes fix steps
Reporting headers (Report-To / NEL)
Reporting headers help browsers send structured reports for network errors and policy violations (useful for diagnostics and security monitoring).
General
Includes fix steps
Server / X-Powered-By disclosure
Server and X-Powered-By headers reveal stack and version details to anyone probing; stripping or genericizing them at the edge removes easy fingerprinting, though not the underlying vulnerabilities.
General
Includes fix steps
X-Content-Type-Options
Prevents MIME-sniffing: with the value nosniff the browser must honor the declared Content-Type, and it refuses scripts and stylesheets served with the wrong type.
Headers
Includes fix steps
X-DNS-Prefetch-Control
Controls whether the browser may prefetch DNS for links on the page (performance/privacy tradeoff).
General
Includes fix steps
X-Frame-Options
Helps protect against clickjacking by controlling whether your site can be embedded in an iframe.
Headers
Includes fix steps
X-XSS-Protection (legacy)
Legacy header for old browser XSS filters. Modern browsers ignore it; CSP is the modern defense. If you emit it at all, send 0, because the old filters were themselves abusable.
General
Includes fix steps